Security hole in ack versions 2.00 to 2.11_02.

Please upgrade to ack 2.12 ASAP.

ack is a grep-like tool that is specifically created to make
searching source code easier. One of the features added in ack
2.00 was the ability to have command line options in per-project
.ackrc files. This has led to a serious security hole.

The --pager, --regex and --output options are powerful tools
for users to manage the output of ack, but with carefully
crafted parameters, they can be used to execute arbitrary code.

An attacker could create a .ackrc file with malicious --pager,
--regex or --output options that would get used by ack. The
malicious .ackrc could be put
into code that a user would download and search with ack, and
an unsuspecting user would then execute these options without
realizing it. This malicious .ackrc could be, for example, in
a source code tarball, or a checkout of a project from a code
hosting site like GitHub or SourceForge.

ack 2.12 has solved this problem by disallowing the
--pager, --regex or --output options
in a per-project .ackrc file. They are still allowed in a
global ackrc file, your own personal .ackrc file, the ACK_OPTIONS
environment variable, and on the command line.
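
Until every machine is on 2.12, a downloaded tree can be checked for
per-project .ackrc files that set any of the three options before ack
is run in it. The script below is an added example, not part of ack or
of the original advisory. It assumes one option per line with # comment
lines, and it only matches the options spelled in full as named above;
the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Options the advisory says ack 2.12 refuses in a per-project .ackrc.
RESTRICTED = ("--pager", "--regex", "--output")
# Matches "--opt", "--opt=value" and "--opt value" at the start of a line.
_PATTERN = re.compile(r"^(%s)(?:[=\s]|$)" % "|".join(re.escape(o) for o in RESTRICTED))


def scan_ackrc_text(text):
    """Return (line_number, option) for each restricted option in .ackrc text."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed: blank lines and # comments
            continue
        match = _PATTERN.match(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


def scan_tree(root):
    """Walk an untrusted source tree and report every flagged .ackrc line."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".ackrc" in files:
            path = os.path.join(dirpath, ".ackrc")
            with open(path, encoding="utf-8", errors="replace") as handle:
                for number, option in scan_ackrc_text(handle.read()):
                    findings.append((os.path.relpath(path, root), number, option))
    return sorted(findings)


def demo():
    """Build a constructed tree with one benign and one flagged .ackrc."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vendor", "lib"))
        with open(os.path.join(root, ".ackrc"), "w") as f:
            f.write("# constructed sample\n--ignore-dir=build\n--sort-files\n")
        with open(os.path.join(root, "vendor", "lib", ".ackrc"), "w") as f:
            f.write("--smart-case\n--pager=PLACEHOLDER\n  --output PLACEHOLDER\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, number, option in demo():
        print(f"{path}:{number}: {option} set in project .ackrc")
```

A hit is a reason to read the file before searching the tree, not
proof of malice; nested .ackrc files in vendored code are reported too.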